Tutorial: Getting started with Verified Access - AWS Verified Access

Tutorial: Getting started with Verified Access

Use this tutorial to get started with AWS Verified Access. You'll learn how to create and configure Verified Access resources.

Before adding this application to Verified Access, the application was only accessible over your private network. At the end of this tutorial, specific users can access the same application over the internet, without using VPN.

Note

This example doesn’t demonstrate integration with your device-based trust provider. For this example, we are only working with an identity-based trust provider.

Prerequisites

The following are the prerequisites for this tutorial:

  • To demonstrate this example for using Verified Access, we will be using two AWS accounts. One account will host your target application, and the Verified Access resources will be created in the other account.

  • Enable AWS IAM Identity Center in the AWS Region that you're working in. You can then use IAM Identity Center as a trust provider with Verified Access. For more information, see Enable IAM Identity Center in the AWS IAM Identity Center User Guide.

  • A public hosted domain and the permissions required to update DNS records for the domain.

  • An application running behind an internal load balancer in an AWS account. The example application domain name we'll use is www.myapp.example.com.

  • Make sure your IAM policy has all the permissions required to create an AWS Verified Access instance, as noted in Policy for creating Verified Access instances.

Step 1: Create a Verified Access instance

Use the following procedure to create a Verified Access instance.

To create a Verified Access instance
  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the Amazon VPC navigation pane, choose Verified Access instances, and then Create Verified Access instance.

  3. (Optional) For Name and Description, enter a name and description for the Verified Access instance.

  4. For Trust provider, keep the default option.

  5. (Optional) To add a tag, choose Add new tag and enter the tag key and the tag value.

  6. Choose Create Verified Access instance.

Step 2: Configure a trust provider

You can set up AWS IAM Identity Center as your trust provider.

To create an IAM Identity Center trust provider
  1. In the Amazon VPC navigation pane, choose Verified Access trust providers, and then Create Verified Access trust provider.

  2. (Optional) For Name tag and Description, enter a name and description for the Verified Access trust provider.

  3. For Policy reference name, enter a custom identifier to use later when writing policy rules. For example, you can enter idc.

  4. Under Trust provider type, select User trust provider.

  5. Under User trust provider type, select IAM Identity Center.

  6. (Optional) To add a tag, choose Add new tag and enter the tag key and the tag value.

  7. Choose Create Verified Access trust provider.

Step 3: Attach your trust provider to the instance

Use the following procedure to attach the trust provider to your Verified Access instance.

To attach a trust provider to your instance
  1. In the Amazon VPC navigation pane, choose Verified Access instances.

  2. Select your instance.

  3. Choose Actions, Attach Verified Access trust provider.

  4. For Verified Access trust provider, choose your trust provider.

  5. Choose Attach Verified Access trust provider.

Step 4: Create Verified Access group

Let's create a group that you can use for the endpoint you will create in the next step.

To create a Verified Access group
  1. In the Amazon VPC navigation pane, choose Verified Access groups, and then Create Verified Access group.

  2. (Optional) For Name tag and Description, enter a name and description for the group.

  3. For Verified Access instance, choose your Verified Access instance.

  4. For Policy definition, keep this blank. You will create a policy later in this tutorial.

  5. (Optional) To add a tag, choose Add new tag and enter the tag key and the tag value.

  6. Choose Create Verified Access group.

Step 5: Share your Verified Access group through AWS Resource Access Manager

In this step, you'll share the group you just created with the AWS account in which your target application is running. To share a Verified Access group, you must add it to a resource share. If you do not have a resource share, you must first create one.

If you are part of an organization in AWS Organizations, and sharing within your organization is enabled, consumers in your organization are automatically granted access to the shared Verified Access group. Otherwise, consumers receive an invitation to join the resource share and are granted access to the shared Verified Access group after accepting the invitation.

Follow the steps in Create a resource share in the AWS RAM User Guide. For Select resource type, choose Verified Access group, and then select the check box for your Verified Access group.

For more information, see Getting started in the AWS RAM User Guide.

Step 6: Add your application by creating an endpoint

Use the following procedures to create an endpoint. This step assumes that you have an application running behind an internal load balancer from Elastic Load Balancing.

To create a Verified Access endpoint
  1. In the Amazon VPC navigation pane, choose Verified Access endpoints, and then Create Verified Access endpoint.

  2. (Optional) For Name tag and Description, enter a name and description for the endpoint.

  3. For Verified Access group, choose your Verified Access group.

  4. For Application details, do the following:

    1. For Application domain, enter a DNS name for your application.

    2. Under Domain certificate ARN, select the Amazon Resource Name (ARN) of your public TLS certificate.

  5. For Endpoint details, do the following:

    1. For Attachment type, choose VPC.

    2. For Security groups, select a security group to associate with the endpoint.

    3. For Endpoint domain prefix, enter a custom identifier. This will be prepended to the DNS name that Verified Access generates. For this example, we can use my-ava-app.

    4. For Endpoint type, choose Load balancer.

    5. For Protocol, select HTTPS or HTTP. This depends on the configuration of your load balancer.

    6. For Port, enter the port number. This depends on the configuration of your load balancer.

    7. For Load balancer ARN, choose your load balancer.

    8. For Subnets, select the subnets associated with your load balancer.

  6. For Policy definition, do not enter a policy at this time. We will cover this later in the tutorial.

  7. (Optional) To add a tag, choose Add new tag and enter the tag key and the tag value.

  8. Choose Create Verified Access endpoint.

Step 7: Configure DNS settings

For this step, you map your application's domain name (for example, www.myapp.example.com) to the domain name of your Verified Access endpoint. To complete the DNS mapping, create a canonical name (CNAME) record with your DNS provider. After you create the CNAME record, all requests from users to your application are sent to Verified Access.

To get the domain name of your endpoint
  1. In the Amazon VPC navigation pane, choose Verified Access endpoints.

  2. Select the endpoint that you created previously.

  3. Choose the Details tab for the endpoint.

  4. Copy the endpoint domain from under Endpoint domain.

For this tutorial, the endpoint's domain name will be my-ava-app.edge-1a2b3c4d5e6f7g.vai-1a2b3c4d5e6f7g.prod.verified-access.us-west-2.amazonaws.com.

Create a CNAME record with your DNS provider:

Record name             Type    Value
www.myapp.example.com   CNAME   my-ava-app.edge-1a2b3c4d5e6f7g.vai-1a2b3c4d5e6f7g.prod.verified-access.us-west-2.amazonaws.com

Step 8: Test connectivity to your application

You can now test connectivity to your application. Enter your application's domain name into your web browser. The default behavior of Verified Access policies is to deny all requests. Because we have not yet put a policy in place that would allow anyone access, all requests should be denied.

Step 9: Configure group-level access policy

Use the following procedure to modify the Verified Access group and configure an access policy that allows connectivity to your application. The details of the policy will depend on the users and groups that are configured in IAM Identity Center. For information about creating a policy, see Verified Access policies.

To modify a Verified Access group
  1. In the Amazon VPC navigation pane, choose Verified Access groups.

  2. Select your group.

  3. Choose Actions, Modify Verified Access group policy.

  4. Enter the policy.

  5. Choose Modify Verified Access group policy.
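The following is an added example of a group policy you could enter in step 4; it is not part of the original tutorial. It assumes the trust provider from Step 2 was created with the policy reference name idc, that your users sign in with an example.com address, and that the group ID string is a placeholder you replace with the ID of the IAM Identity Center group that should reach the application. Everyone who does not match the condition stays denied by Verified Access's default behavior.

```cedar
// Added example policy (not from the tutorial). Assumes the IAM Identity Center
// trust provider was created with policy reference name "idc", so its claims
// appear under context.idc.
permit(principal, action, resource)
when {
    // Only accept an email address that IAM Identity Center has verified.
    context.idc.user.email.verified == true &&
    // Restrict to your own domain; "*" is a Cedar wildcard in a "like" pattern.
    context.idc.user.email.address like "*@example.com" &&
    // Restrict further to one IAM Identity Center group. The value below is a
    // placeholder; use the group ID shown in the IAM Identity Center console.
    context.idc.groups.contains("IDC-GROUP-ID-PLACEHOLDER")
};
```

Because a permit is only granted when every clause holds, a user from the right domain who is not in the group, or whose address is unverified, is still denied, which you can confirm by repeating the Step 8 test with such a user before moving on to Step 10.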

Step 10: Re-test connectivity

Now that your group policy is in place, you can access your application. Enter your application's domain name into your web browser. The request should be allowed and you should be redirected to the application.

Clean up

After you are finished testing, follow the steps below to delete the resources that were created.

To delete the Verified Access resources created with this tutorial
  1. In the Amazon VPC navigation pane, choose Verified Access endpoints. Select the endpoint you want to remove. Choose Actions, Delete Verified Access endpoint.

  2. In the Amazon VPC navigation pane, choose Verified Access groups. Select the group you want to remove. Choose Actions, Delete Verified Access group. Note: you may need to wait a couple of minutes until the endpoint deletion process is complete.

  3. In the Amazon VPC navigation pane, choose Verified Access instances. Select the instance you created for this tutorial. Choose Actions, Detach Verified Access trust provider. Select the trust provider from the drop-down list, and then choose Detach Verified Access trust provider.

  4. In the Amazon VPC navigation pane, choose Verified Access trust providers. Select the trust provider you created for this tutorial. Choose Actions, Delete Verified Access trust provider.

  5. In the Amazon VPC navigation pane, choose Verified Access instances. Select the instance you created for this tutorial. Choose Actions, Delete Verified Access instance.